Trend Micro Calls the Group Well-Resourced and Sophisticated
A cyberespionage campaign by a well-funded but lesser-known hacking group is using previously unknown backdoors to hack government agencies and tech companies.
The group, dubbed “Earth Estries” by researchers at Trend Micro in a Wednesday report, appears well-practiced in cyberespionage, uses multiple backdoors and takes pains to leave a small footprint. Its victims include organizations in the United States, Germany, South Africa, Malaysia, Taiwan and the Philippines.
The group, which has been active since at least 2020, has tactics that overlap with techniques used by another threat group tracked by Eset as FamousSparrow.
“The threat actors behind Earth Estries are working with high-level resources and functioning with sophisticated skills and experience in cyberespionage and illicit activities,” the Trend Micro researchers wrote.
Among their techniques are downgrading Windows PowerShell into an older version in order to avoid detection from Windows Antimalware Scan Interface’s logging mechanism. The hackers use services such as GitHub, Gmail, AnonFiles and File.io to exchange or transfer commands and stolen data.
Earth Estries hackers get inside a victim company’s computer system and take control of important user accounts. With the help of Cobalt Strike, they spread harmful software and move around the network to do more damage or steal valuable information. They use the Server Message Block protocol and Windows Management Instrumentation command line to propagate backdoors in other computers on the same network.
The hackers use a hard-to-detect and previously rarely seen HTTP backdoor called Zingdoor and information stealers such as TrillClient and HemiGate.
The threat actors regularly remove their existing backdoor after finishing each round of hacking and replace it with new malware before the start of another round. “We believe that they do this to reduce the risk of exposure and detection,” the researchers wrote.